Skip to content Skip to site navigation

Privileged Access Workstation (PAW) Self-Service Software Installation

In response to user feedback, we have made it possible for PAW users to install their own software as needed for their work. Users no longer need to work through the Information Security Office (ISO) to get software deployed to PAWs. The self-service software installation process described here enables users to control the software load on their PAWs.

Please note: It is still important to follow the PAW usage guidelines when installing software. See How to Use a Privileged Access Workstation (PAW) for guidelines on suggested and prohibited activities. See the Software not to install section on this page for a list of software that should be installed only on untrusted workstations, never on PAWs.

How to install software

PAWs are protected by Carbon Black Protection in High Enforcement mode. This prevents unapproved binaries from executing. To install software and have it work properly, you must move the PAW into Local Approval Mode before installing software.

  1. Open the BigFix client user interface from the Windows system tray or the Mac menu bar.
  2. Select the [PAW] Move Machine to Local Approval Mode offer from the software offer list and click Accept. The BigFix client UI will present a notification that the action is complete, but this means that your request is in, not that the machine has entered local approval mode.
    select [PAW] Move machine to Local Offer Mode from list of offers
  3. Wait for a pop-up notification informing you that the system has entered Local Approval Mode. This can take a few minutes to appear.
    message informing you that the system is in Local Approval Mode.
  4. Perform your software installations and upgrades.
  5. Important: Move the machine back to High Enforcement by repeating the above instructions but using the [PAW] Restore Machine to High Enforcement Level offer.
    In the offers list, select [PAW] Restore Machine to High Enforcement Level
  6. A pop-up notification will appear to inform you that the system has been restored to Full Enforcement.
    message notifying you that the system has been restored to full enforcement level

Software not to install

The following software packages and classes of software are not approved for use on PAWs and should not be used. Run these in your normal untrusted compute environment.

  • Microsoft Office and other Office-type suites
  • Instant Messaging (Jabber, Slack, etc.)
  • Email clients (Thunderbird, Outlook, etc.)
  • Inbound Remote Access Tools (VNC Server)
  • Media/Publishing Applications (Dreamweaver, Photoshop, Acrobat, etc.)
  • Games
Last modified January 17, 2018